When the only answer is mitigation
When it comes to old systems, there might not be anyone around with the needed knowledge to fix the code. According to a survey released last November by technology services company Advanced, 42% of companies that use mainframes say that their most prominent legacy language is COBOL, with another 37% still using Assembler.
“Never mind the job market. It’s hard to find people alive with obsolete programming language skills like COBOL,” says Paul Brucciani, cyber security advisor at WithSecure.
Another issue is when the source code has been lost. “You’d be surprised by the [number of] organizations running on ancient software that can’t be updated because they lost the source code,” Brucciani tells CSO.
In some cases, the applications are too important to touch because the risk of breaking them is too high and replacing them would cause too much disruption. “Not all legacy code and applications can be removed when discovered. In many cases, critical business processes rely on features and workflows that are performed by the legacy systems,” says Cymulate’s DeNapoli.
Software vulnerabilities might also go unfixed because of insufficient time or resources, or because of compliance considerations, but they still pose a risk if exploited. In these cases, companies should put mitigation measures in place around the vulnerable systems. Firms will need to use other strategies, such as implementing or strengthening compensating controls.
Zero trust architectures, network segmentation, and an increased focus on authentication can help lower the risk that a vulnerable application is exploited. “There’s a broad trend to put everything behind an authentication layer,” says Veracode’s Eng. “That’s happening regardless of how old the code is.”
Other mitigation strategies include encryption, firewalls, security automation, and dynamic data backups.
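As an added illustration of the "authentication layer plus segmentation" compensating control described above (example code written for this page, not from Veracode, WithSecure or Cymulate): a minimal gateway decision placed in front of a legacy HTTP application that cannot be patched. The allowed network, the signing key and the token format are assumptions chosen for the demo; in production the token check would be delegated to an identity provider.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional, Tuple

# Constructed policy for the demo (assumed values, not from the article).
LEGACY_APP_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]  # segment allowed to reach the app
SESSION_KEY = b"demo-key-rotate-in-production"  # assumed; an IdP would own this in practice
SESSION_TTL = 900  # seconds a minted token stays valid


def mint_token(user: str, issued_at: int) -> str:
    """Issue an HMAC-signed bearer token so the legacy app never handles raw credentials."""
    payload = f"{user}:{issued_at}"
    sig = hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_token(token: str, now: int) -> Optional[str]:
    """Return the user name if the token is well-formed, untampered and unexpired."""
    try:
        user, issued_at, sig = token.split(":")
        issued = int(issued_at)
    except ValueError:
        return None
    expected = hmac.new(SESSION_KEY, f"{user}:{issued_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if now - issued > SESSION_TTL:
        return None
    return user


def authorize(environ: dict, now: int) -> Tuple[bool, str]:
    """Gate a request before it is forwarded to the unpatchable legacy app.
    environ uses the WSGI layout (REMOTE_ADDR, HTTP_AUTHORIZATION); the reason
    string is what the gateway would log for detection and audit."""
    try:
        src = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False, "invalid source address"
    if not any(src in net for net in LEGACY_APP_NETWORKS):
        return False, "source not in permitted segment"  # segmentation check
    auth = environ.get("HTTP_AUTHORIZATION", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"  # authentication layer check
    user = verify_token(auth[len("Bearer "):], now)
    if user is None:
        return False, "invalid or expired token"
    return True, f"user={user}"
```

The legacy application itself is untouched; both checks happen in the gateway, so they can be added or tightened without rebuilding code nobody can maintain.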
Automation to find old code and create safer code
The latest solution to the problem of vulnerable old code involves new advances in artificial intelligence. We already have generative AI tools that can write new code, but vendors are also working on specialized AIs that are specifically trained in fixing vulnerabilities. “AI can suggest a fix and then developers can tweak that a bit,” says Eng.
The problem is that when companies use the big, public large language models, those models are trained on everything, including the bad stuff. “As they used to say, garbage in, garbage out. Inevitably, the code that is generated by those models is also going to contain vulnerabilities. So, the code will be produced faster — but it will still have errors,” Eng adds.
Veracode is building its own AI based on its own, vetted code. “We generate vulnerable code, and good code, and train the model on each of those categories,” Eng says. “Then we know for sure that what’s coming out is not being pulled from some random developer’s GitHub repository.”
Veracode Fix was launched this past April and, according to the company, the product can generate fixes for 72% of flaws found in Java code, which can dramatically speed up remediation efforts for companies.
At some point, larger enterprises will probably want to build their own customized AI tools. “They want to generate fixes in the style of code that they use,” Eng says.
But that doesn’t mean that companies should sit back and wait until AIs can come and solve all the problems. “With the amount of security debt that most organizations have, even if you just work on the most severe stuff now, you’re not going to run out of stuff to do,” he says.